Internal Audit Fiscal Year 2017 Annual Audit Plan Texas Department of Insurance Internal Audit Division September 2016 Texas Department of Insurance 333 Guadalupe | Austin, Texas 78701 (800) 578-4677 www.TDI.texas.gov

Internal Audit Fiscal Year 2016 Annual Audit PlanInternal Audit Fiscal Year 2017 Annual Audit Plan September 2016 Plan Approved David C. Mattax Commissioner of Insurance. 9/14/16


Internal Audit
Fiscal Year 2017

Annual Audit Plan

Texas Department of Insurance
Internal Audit Division

September 2016

Texas Department of Insurance
333 Guadalupe | Austin, Texas 78701

(800) 578-4677
www.TDI.texas.gov


First printing, September 2016

Publication ID: IAAP | 0916

This document is available online at www.tdi.texas.gov/reports


Texas Department of Insurance
Internal Audit Fiscal Year 2017 Annual Audit Plan

September 2016

Plan Approved

David C. Mattax, Commissioner of Insurance
Date: 9/14/16

W. Ryan Brannan, Commissioner of Workers’ Compensation
Date: 9/14/16

Greg Royal, CPA, CIA, CGAP, CRMA, Internal Audit Director
Date: 9/14/16


Table of Contents

Overview of TDI Internal Audit Fiscal Year 2017 Annual Audit Plan

Schedule 1 – FY 2017 Internal Audit Plan Projects

Schedule 2 – Internal Audit Organization Chart

Schedule 3 – FY 2017 Annual Operating Budget


Overview of TDI Internal Audit Fiscal Year 2017 Annual Audit Plan

Introduction

This document provides the Fiscal Year (FY) 2017 Audit Plan as required by professional auditing standards and the Texas Internal Auditing Act (Texas Government Code, Ch. §2102.008). This plan provides our vision of Internal Audit efforts for FY 2017, allocating resources to the most critical areas within the Texas Department of Insurance (TDI).

Projects were identified for the Audit Plan by using a risk assessment model that considered input from TDI management, commissioners, and the State Auditor’s Office. Using that input, staff exercised auditor judgment to prioritize projects for FY 2017.

Audit Charter and Definition

The Audit Charter approved by the commissioners in November 2015 provides authorization to Internal Audit personnel for full, free, and unrestricted access to any of the agency’s systems, records (manual or electronic), functions, property, and personnel relevant to the performance of statutory responsibilities and duties assigned by the Commissioner of Insurance and the Commissioner of Workers’ Compensation. The charter also defines reporting relationships and the scope of audit work, as well as audit reporting and follow-up responsibilities.

As the internal audit profession has evolved, so has the definition of our work efforts. The mission of Internal Audit is to enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight. The definition states:

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

Risk Assessment

Internal Audit developed the Audit Plan by first conducting a comprehensive risk assessment of agency program activities. We then selected projects for FY 2017 based on relative risk and available hours.

Risk assessment is a systematic process for assessing and integrating professional judgments about probable adverse conditions and/or events. This process provides a means to organize and integrate professional judgments for project selection and work schedule development. Activities with higher risk were assigned higher audit priorities. Internal Audit used the risk assessment results for recommending projects.

We assessed risk within TDI by sending out agency-wide questionnaires and interviewing selected executive management, as well as other management responsible for championing the agency Balanced Scorecard and Enterprise Risk Management (ERM) programs. Then, staff used the following criteria to determine the relative risk of each program activity and select projects:

• Criticality to agency mission
• Prior audits or studies
• Size or complexity of operations
• Quality of internal controls
• Other high-risk indicators
• Auditor judgment

The activities used in our analysis came from the following sources:

• Activities identified from questionnaires and interviews
• Prior division-level ERM footprints last obtained in 2013
• Balanced Scorecard


An information technology (IT) specific risk assessment was also performed. Internal Audit used similar criteria for the IT assessment to distinguish risk between application controls and general controls. The criteria used to rate applications included:

• Current utilization
• Criticality
• Interfacing with other applications
• Technological complexity
• Number and types of users
• Prior audits
• Vendor support
• Auditor judgment

The following criteria were used to rate IT general controls:

• Control environment
• Change management
• Development life cycle
• Logical access
• Incident management
• Technical support
• Hardware and software
• Disaster recovery and backup
• Physical security

General controls are control procedures that exist in the IT environment as a whole, while application controls exist specifically for each application. Projects selected cover both general and application controls.

Allocation of Hours

Previous audit plans distributed project hours into 10 core functions that comprised TDI’s regulatory and administrative responsibilities, which followed the agency Strategic Plans. The chart in Figure 2 depicting historical data reflects this allocation. The agency changed the Fiscal Year 2017-2021 Agency Strategic Plan, and project hours are allocated to the current goals and action plans, shown in Figure 1. We allocated 9,246 hours to audit and consulting projects, including 5,826 hours for new projects and 3,420 hours for carry-over projects. All IT, legal, and administrative operations projects are included in agency-wide operations. In addition, there are 400 hours for special requests and 250 hours for miscellaneous advisory projects, which are dispersed evenly to each core function area. The last chart, Figure 3, allocates hours to the four agency balanced scorecard perspectives.

Figure 1 below allocates hours among the agency goals and action plans as depicted in the Fiscal Year 2017-2021 Agency Strategic Plan.

Figure 1: FY 2017 Agency Goals and Action Plan Coverage Hours

[Chart not reproduced. Categories: Agency-wide Operations; Workers' Comp System Regulation; Insurance Operations. Hour values shown: 3,763; 3,793; 1,689.]


Figure 2 below compares Internal Audit’s actual coverage for FY 2014, FY 2015, FY 2016, and budgeted coverage for FY 2017. These 10 core functions were from prior strategic plans. The 2015-2019 Agency Strategic Plan had Workers’ Compensation as a separate category for the first time.

Figure 2: Historical Core TDI Function Coverage Hours

[Chart not reproduced. Axis: 0 to 3,000 hours. Core functions: Support Services; Workers' Compensation System Regulation; Inspections and Consultations; Enforcement, Fraud, and Investigations; Complaints and Dispute Resolution; Education, Outreach, and Customer Assistance; Research and Analysis; Examination, Monitoring, and Solvency Intervention; Form, Rate, and Advertising Review; Licensing, Certification, and Registration. Series: FY 2014 Actual; FY 2015 Actual; FY 2016 Actual; FY 2017 Budgeted.]

Figure 3 below shows the coverage of each of the four Balanced Scorecard Agency Perspectives.

Figure 3: TDI Balanced Scorecard Perspectives Coverage Hours

[Chart not reproduced. Perspectives: Customer; Financial Stewardship; Policy and Process; People, Tools, and Technology. Hour values shown: 1,689; 3,945; 340; 3,275.]

Acceptable Level of Risk

Although the plan contemplates a wide-ranging scope of audit effort, it does not provide coverage for all TDI components or systems. We attempted to maximize limited Internal Audit resources to provide reasonable coverage of the business activities we believe require the most attention.

However, because we cannot address every risk area, it is important the commissioners and management understand the limitations of the audit coverage and the risks they assume in unaudited areas. This plan allocates Internal Audit resources to the agency’s most important priorities and risks at this point in time. The Audit Plan also includes 250 hours for special audit requests from the commissioners or executive management that may occur during the year.


The Internal Audit Division is committed to being a valuable resource in improving the agency’s operations and proposes a plan that targets key processes, yet builds flexibility to allow for commissioner and management special requests that require immediate attention. After accounting for scheduled holidays, vacation, sick leave, required training, and administrative projects, 9,426 hours are available for audits, consulting activities, investigations, and special requests.

FY 2017 Internal Audit Plan Allocation

The Audit Plan depicts hours allocated to audit engagements in various divisions and sections of the agency and is shown in Schedule 1. The Audit Plan includes the following sections:

Projects Carried Forward

Some projects that began in FY 2016 were not completed by the end of the fiscal year. The following projects were started in FY 2016 and have hours allocated in FY 2017 to complete the project: Business Continuity, Regulatory Policy, Designated Doctor Exam Scheduling, Workplace Safety, Agent & Adjuster Licensing, and Risk Assessment for FY 2017. Other projects that were not started in FY 2016, yet are still included in the FY 2017 Audit Plan in some format include Rehabilitation, Liquidation & Oversight, Controls Survey, and TeamMate build-out of other modules.

In addition, the division underwent an independent quality assurance review, which was completed with a report issued in September 2015 and the division obtained the highest rating. Internal Audit staff participated in a quality assurance review of another state agency in FY 2016 and plans to participate in FY 2017.

Information Technology Services Project

The project listed will assess IT general and application controls and is specific to the agency environment and specific applications. Although most audit projects have an IT component included in the audit scope, this project will have a scope and objectives specific to IT controls in place.

Financial/Performance Assurance Activities

Internal Audit provides assurance services for TDI which are defined as objective examinations of evidence for the purpose of providing an independent assessment on risk management, control, and governance processes for the agency. Examples may include financial, compliance, economy and efficiency, effectiveness, investigations, and information technology engagements.

Hours allocated in this section are dedicated to projects that were selected through the agency-wide risk assessment.

Special Initiatives

In addition to assurance and consulting engagements, Internal Audit allocates resources toward special initiatives. These initiatives include any liaison activities which may occur during the year and special requests to be responsive to the immediate needs of the commissioners and management.

Consulting/Advisory Activities

By definition, internal auditing includes the provision of consulting services. Consulting services are advisory and related client service activities, the nature and scope of which are agreed upon with the client. These activities are intended to add value and improve an organization’s governance, risk management, and control processes without the internal auditor assuming management responsibility. Examples include counsel, advice, facilitation, and training.


Progressive Internal Audit departments provide additional management assistance or consulting services to their organizations. We will continue to provide representation on TDI committees and work groups as needed and requested by the Commissioner of Insurance, the Commissioner of Workers’ Compensation, and management. Upon request, we will provide both formal and informal advice and suggestions on management issues, concerns, and draft policies and procedures.

By providing consulting or advisory activities, Internal Audit adds value to TDI beyond assurance services and assists in strengthening agency internal controls.

Administrative Activities

We included hours for various administrative activities of the Internal Audit Division, some of which are mandated either by the professional standards or statute we are required to follow. Department leave time is also included to show a full picture of hours to be used by Internal Audit during the year.

Professional Standards

We adhere to Government Auditing Standards, as promulgated by the U.S. Government Accountability Office and the International Standards for the Professional Practice of Internal Auditing, as promulgated by the Institute of Internal Auditors, which includes the Code of Ethics. In addition, we conform to requirements found under the Texas Internal Auditing Act (Texas Government Code §2102) and comply with all policies and procedures of TDI.

Performance Measures

Internal Audit performance measures for FY 2017 are as follows:

• Complete development and approval of the Fiscal Year 2017 Audit Plan by September 30, 2016.
• Complete the FY 2016 Annual Internal Audit Report by November 1, 2016.
• Complete 80 percent of the scheduled FY 2017 Audit Plan projects.
• Spend over 60 percent of total planned hours available on direct audit and consulting work.
• Obtain management acceptance of 95 percent of audit issues and/or recommendations.
• Obtain management satisfaction on at least 80 percent of audit assurance and consulting activities.

Internal Performance Measure results for FY 2016 were:

• FY 2016 Audit Plan was approved in September.
• FY 2015 Annual Internal Audit Report was completed in October.
• Seventeen of the 29 projects in the 2016 Audit Plan were completed by the end of FY 2016 (59 percent). There were six on-going projects carried over into the FY 2017 Audit Plan along with two projects carried forward that had not started, two projects combined and carried forward and two projects canceled.
• Internal Audit spent less than 60 percent of total hours available on direct audit or consulting work in FY 2016, as we experienced significant turnover of senior level staff; during the fiscal year four new auditors and a new executive assistant replaced staff leaving or retiring. Due to training new staff, approximately 33 percent of recorded time was spent on administrative or staff development activities.
• Management acceptance of audit issues and/or recommendations exceeded 95 percent.
• Management satisfaction from returned surveys exceeded 80 percent of audit assurance and consulting activities.

Audit Organization Staffing and Budget

A current organization chart for Internal Audit is attached to this plan and shown in Schedule 2. The division includes nine full-time equivalent positions: an audit director, seven auditors, and an executive assistant. The FY 2017 Internal Audit Plan was developed based on the assumption that the division would be fully staffed throughout the year. The FY 2017 budget is included in this plan and is shown in Schedule 3.


Current Internal Audit staff members collectively have over 63 years of auditing experience, including over 26 years at TDI. In addition, audit staff possess the following 11 professional certifications and advanced education:

• Three master's degrees
• Three Certified Internal Auditors (CIA)
• Three Certified Government Auditing Professionals (CGAP)
• One Certified Public Accountant (CPA)
• One Certification in Risk Management Assurance (CRMA)
• One Certified Fraud Examiner (CFE)
• One Certified Investments and Derivatives Auditor (CIDA)
• One Certified Internal Controls Auditor (CICA)

Current staff are also actively pursuing the following certifications: CPA, CIA, CGAP, and CFE in order to enhance skills.

Closing

Audit plans act as a guide for audit departments. Our plan includes proposed projects and other initiatives to perform during the year. We have budgeted time for special requests so that we can be responsive to the immediate needs of the commissioners and management as they may arise throughout the fiscal year.

As discussed previously under “Acceptable Level of Risk” our plan does not, nor is it intended to, address or provide complete coverage for all TDI components or system risks. We believe that this plan allocates the resources of the Internal Audit Division to the most important priorities and risks of the agency at this point in time.

Internal Audit wishes to thank TDI management and staff for their assistance in providing information which led to the development of this proposal. In addition, the Internal Audit Division looks forward to helping the agency meet its objectives this fiscal year. For further information on the FY 2017 Internal Audit Plan, please contact the Internal Audit Director, Greg Royal, at (512) 676-6200 or by email at [email protected].


Schedule 1 – FY 2017 Internal Audit Plan Projects

| Project # | Project Description | Program Area | FY 2017 Hours |
|---|---|---|---|
| | Audit, Investigation, and Advisory Projects | | |
| | Projects Started and Carried Forward from FY 2016 | | |
| 2016-302 | Regulatory Policy (P&C, LAH) | Reg. Policy | 500 |
| 2016-304 | Designated Doctor Exam Scheduling | DWC | 500 |
| 2016-305 | Business Continuity | Admin. Ops | 300 |
| 2016-306 | Workplace Safety | DWC | 500 |
| 2016-407 | FY 2017 Risk Assessment | Agency-wide | 320 |
| 2017-302 | Agent and Adjuster Licensing Office | Financial Reg. | 800 |
| | Carry-Forward Project Subtotal | | 2,920 |
| | Information Technology Services Project | | |
| Pending | General Controls/Application Controls | Agency-wide | 760 |
| | Information Technology Services Project Subtotal | | 760 |
| | Financial/Performance Assurance Projects | | |
| Pending | Rehabilitation and Liquidation Oversight Program (FY 2016 Audit Plan) | Financial Reg. | 800 |
| Pending | Certified Self-Insurance | DWC Gen. Counsel | 700 |
| Pending | Subsequent Injury Fund | DWC | 500 |
| Pending | Administrative Operations Review | Admin. Ops | 500 |
| Pending | Mid-year Recommendations Follow-up (Internal Audit reports) | Agency-wide | 50 |
| 2017-301 | Seized/Forfeited Property Audit - FY 2016 (Code of Criminal Procedures Art 59.06) | Fraud/SFMO | 10 |
| | Financial/Performance Assurance Project Subtotal | | 2,560 |
| | Special Initiatives | | |
| Various | Reserved for special assigned audits, investigations, or management requests | N/A | 400 |
| | Special Initiatives Subtotal | | 400 |
| | Consulting/Advisory Projects | | |
| Pending | Agency Strategy - Balanced Scorecard Workgroups | Admin. Ops | 100 |
| Pending | Controls Survey/Risk Ranking (FY 2016 Audit Plan Project) | Agency-wide | 1,200 |
| Pending | ITS Customer Meetings | Admin. Ops | 36 |
| Pending | SB 20 Implementation | Admin. Ops | 240 |
| Pending | Managed Care Quality Assurance | Financial Reg. | 300 |
| Pending | Data Governance | Agency-wide | 240 |
| Pending | Ethics Survey (UT students) | Agency-wide | 240 |
| Pending | Miscellaneous Advisory Projects | Agency-wide | 250 |
| | Consulting/Advisory Project Subtotal | | 2,606 |
| | Audit, Investigation, and Advisory Project Subtotal | | 9,246 |
| | Administrative and Required Internal Audit Projects | | |
| Pending | Internal Audit General Administration (Auditor staff at 17.5 percent) | N/A | 2,604 |
| Pending | Maximum Annual Vacation and Sick Leave Accrual for Each Employee | N/A | 1,800 |
| Pending | FY 2018 Risk Assessment | N/A | 400 |
| 2017-401 | Staff Training | N/A | 320 |
| Pending | TeamMate Build-out of Other Modules | N/A | 240 |
| Pending | External Peer Review – Part of the State Agency Internal Audit Forum Team | N/A | 150 |
| 2017-403 | FY 2016 Internal Audit Annual Report | N/A | 120 |
| | Administrative and Other Internal Audit Project Subtotal | | 5,634 |
| | Total Available Hours* | | 14,880 |

* Available Hours: (261 work days) - (13 holidays @ 8 hours/day) = 1,984 hours/year (1,984 hours x 7 auditors + 1,984 x .5 audit director hours to projects) = 14,880 Total Hours


Schedule 2 – Internal Audit Organization Chart

As of September 2016

Texas Department of Insurance
• Insurance Commissioner: David C. Mattax

Division of Workers’ Compensation
• Workers’ Compensation Commissioner: W. Ryan Brannan

Internal Audit Division
• Director: Greg Royal, CPA, CIA, CIDA, CGAP, CRMA
• Executive Assistant: Carrie Strmiska
• Internal Auditor: Kaelie Gonzales
• Internal Auditor: Crystal Crosson
• Internal Auditor: Matt Milam, CIA, CGAP, CFE
• Internal Auditor: Laura Cavazos
• Internal Auditor: Tammara West, CIA, CGAP
• Internal Auditor: Russell Zoch, CICA
• Internal Auditor: Nathan Beavers

Schedule 3 – FY 2017 Annual Operating Budget

| Expenditure Category | FY 2017 |
|---|---|
| Salaries and Longevity (9.0 FTEs) | $ 636,007.20 |
| Other Operating Expenses | 10,016.00 |
| Total Operating Budget | $ 646,023.20 |
